Which type of zone will allow different virtual systems to communicate with each other?
A. Tap
B. External
C. Virtual Wire
D. Tunnel
Correct Answer: B
An external zone is the zone type used to pass traffic between virtual systems on the same firewall. In a multi-vsys configuration each virtual system defines its own external zone, and that zone represents the other virtual systems that have been made visible to it; a Security policy rule from an internal zone to the external zone in one vsys, together with the corresponding rule and route in the other vsys, lets traffic move from one virtual system to another without ever leaving the firewall. External zones are used only for inter-vsys traffic; traffic between two zones inside a single virtual system never uses one.
The other options are not correct. A tap zone is used to passively monitor traffic from a switch SPAN or mirror port without affecting the flow of packets. A virtual wire zone is used to create a transparent bridge between two network segments without changing the original IP addressing or routing. A tunnel zone is used for tunnel content inspection, that is, inspecting the inner traffic of cleartext tunnel protocols such as GRE, non-encrypted IPSec and VXLAN; VPN tunnels themselves terminate on tunnel interfaces that belong to Layer 3 zones.
An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?
A. Browser-supported cipher documentation
B. Cipher documentation supported by the endpoint operating system
C. URL risk-based category distinctions
D. Legal compliance regulations and acceptable usage policies
Correct Answer: D
The engineer should review legal compliance regulations and acceptable usage policies with leadership before implementing SSL Forward Proxy decryption. SSL Forward Proxy makes the firewall a man-in-the-middle for outbound TLS: it terminates the session from the internal user, inspects the cleartext, and opens a second TLS session to the external server. Decrypting user traffic raises privacy and legal questions (financial, health and other regulated categories are commonly excluded from decryption), so leadership must understand the implications and benefits, agree a policy on what is and is not decrypted, and decide how users are informed and how their consent is recorded.

Options A and B are incorrect because cipher support on the browser or on the endpoint operating system is an implementation detail, not a leadership decision. The firewall negotiates one cipher suite with the client and a separate one with the server; the practical client-side concern is that endpoints must trust the firewall's forward-trust CA certificate, which is handled during deployment rather than in the leadership review. Option C is incorrect because URL category distinctions come into play later, when the Decryption policy is built to decide which categories to decrypt or exclude; they are not what leadership needs to review before the project starts.
Question 13:
A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6 12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.
What should the NAT rule destination zone be set to?
Why would a traffic log list an application as "not-applicable"?
A. The firewall denied the traffic before the application match could be performed.
B. The TCP connection terminated without identifying any application data
C. There was not enough application data after the TCP connection was established
D. The application is not a known Palo Alto Networks App-ID.
Correct Answer: A
According to the Palo Alto Networks documentation, not-applicable means the firewall received traffic that it discarded because the port or service is not allowed, or because no Security policy rule permits that port or service: the session was denied or dropped before the application match could be performed, so there is no App-ID to report. This is distinct from incomplete (the TCP three-way handshake never completed, or completed with no data following it) and insufficient-data (the handshake completed but too little data followed to identify the application), both of which describe sessions the firewall allowed.
References: Not-applicable in Traffic Logs (Palo Alto Networks); Not-Applicable, Incomplete, Insufficient Data in the Application Field (Palo Alto Networks).
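The distinction above is easiest to see when applied to actual log rows. The following is an added example, not code from the page or from Palo Alto Networks: it parses a constructed, simplified traffic-log CSV (the eight column names are an assumption for the demo; real exports carry many more fields), classifies the application-field values, and flags any not-applicable row whose action is allow, which would contradict the documented meaning and deserves a second look.

```python
import csv
import io
from collections import Counter

# Constructed sample in a simplified PAN-OS-style traffic-log CSV layout. Real
# exports carry many more columns; these eight field names are an assumption
# made for the demo, not the firewall's exact export format.
SAMPLE_LOG = """\
receive_time,src,dst,dport,proto,app,action,session_end_reason
2024/01/10 10:00:01,10.1.1.5,203.0.113.10,443,tcp,ssl,allow,tcp-fin
2024/01/10 10:00:02,10.1.1.6,203.0.113.10,8443,tcp,not-applicable,deny,policy-deny
2024/01/10 10:00:03,10.1.1.7,203.0.113.20,80,tcp,incomplete,allow,aged-out
2024/01/10 10:00:04,10.1.1.8,203.0.113.20,80,tcp,insufficient-data,allow,aged-out
2024/01/10 10:00:05,10.1.1.6,203.0.113.30,23,tcp,not-applicable,deny,policy-deny
2024/01/10 10:00:06,10.1.1.9,203.0.113.40,53,udp,dns,allow,aged-out
"""

# What the three pseudo-applications in the application field mean.
SPECIAL_APPS = {
    "not-applicable": "denied or dropped before App-ID ran; no rule allows this port or service",
    "incomplete": "TCP handshake never completed, or completed with no data following it",
    "insufficient-data": "handshake completed but too little data followed to identify the app",
}


def parse_logs(text):
    """Parse the CSV export into one dict per session."""
    return list(csv.DictReader(io.StringIO(text)))


def explain_app(app):
    """Explanation for a pseudo-application value, or None for a real App-ID."""
    return SPECIAL_APPS.get(app)


def summarize(rows):
    """Count sessions per application value and pull out the not-applicable ones.

    not-applicable is only reported for sessions the firewall refused before
    App-ID ran, so such a session with action 'allow' would contradict the
    documented meaning; those rows are returned separately for an analyst to check.
    """
    counts = Counter(r["app"] for r in rows)
    blocked = [r for r in rows
               if r["app"] == "not-applicable" and r["action"] in ("deny", "drop")]
    anomalies = [r for r in rows
                 if r["app"] == "not-applicable" and r["action"] == "allow"]
    return {"counts": dict(counts), "blocked_before_appid": blocked, "anomalies": anomalies}


if __name__ == "__main__":
    result = summarize(parse_logs(SAMPLE_LOG))
    for app, n in sorted(result["counts"].items()):
        note = explain_app(app)
        print(f"{app:18} {n}" + (f"  ({note})" if note else ""))
    for r in result["blocked_before_appid"]:
        print(f"blocked before App-ID: {r['src']} -> {r['dst']}:{r['dport']}/{r['proto']}")
```

Run stand-alone it prints the per-application counts with their meaning and lists the two sessions (to ports 8443 and 23) that never reached App-ID; the same approach applies to a real CSV export once the column names are adjusted.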
After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets' payload and opens dynamic pinholes for media ports.
What can the engineer do to solve the VoIP traffic issue?
A. Disable ALG under H.323 application
B. Increase the TCP timeout under H.323 application
C. Increase the TCP timeout under SIP application
D. Disable ALG under SIP application
Correct Answer: D
The application-level gateway (ALG) for SIP lets the firewall inspect and modify the payload of SIP signaling: it rewrites the private addresses and ports carried in SIP headers (Via, Contact) and in the SDP body (c= and m= lines) to their translated values, and it opens dynamic pinholes for the RTP/RTCP media ports negotiated there, so that NAT traversal and policy enforcement work for phones behind the firewall. When the endpoints or the provider's session border controller already handle NAT traversal themselves (for example with STUN or far-end NAT traversal), the firewall's payload rewriting conflicts with theirs and can break call setup or one-way audio results. Disabling ALG under the SIP application (Objects > Applications > sip > Customize > Disable ALG) stops the firewall from altering the payload and from opening pinholes, which is exactly the behaviour the engineer found; media traffic must then be permitted explicitly by Security policy, since the firewall no longer opens pinholes for it. The correct answer is D.

The other options do not address the issue. Disabling ALG under H.323 affects a different VoIP signaling protocol; payload NAT plus dynamic media pinholes is the behaviour of the SIP ALG. Increasing the TCP timeout under H.323 only changes session aging for a protocol that is not involved. Increasing the TCP timeout under SIP only changes how long idle SIP sessions are kept (and SIP signaling is most commonly carried over UDP in any case); it does nothing about payload rewriting or dynamic pinholes.
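To make the ALG behaviour in the explanation concrete, here is an added example (not code from the page or from Palo Alto Networks) that models what a SIP ALG does to an outbound INVITE from a phone behind source NAT: it rewrites the inside address in the Via and Contact headers and in the SDP o= and c= lines, and it derives the UDP pinholes it would open from every m= line. The SIP message, the addresses and the 1:1 port mapping are constructed for the demo; a real ALG also adjusts Content-Length and handles responses, which this model leaves out.

```python
import re

INSIDE_IP = "10.1.1.50"       # phone's private address (constructed)
OUTSIDE_IP = "198.51.100.1"   # firewall's public source-NAT address (constructed)

# Constructed SIP INVITE with an SDP body, as a phone behind NAT would send it.
# Line endings are CRLF as SIP requires; headers and body are separated by a blank line.
INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    f"Via: SIP/2.0/UDP {INSIDE_IP}:5060;branch=z9hG4bK776asdhds",
    "From: Alice <sip:alice@example.net>;tag=1928301774",
    "To: Bob <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    f"Contact: <sip:alice@{INSIDE_IP}:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    f"o=alice 2890844526 2890844526 IN IP4 {INSIDE_IP}",
    "s=-",
    f"c=IN IP4 {INSIDE_IP}",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
    "",
])

# Headers and SDP fields in which an ALG rewrites the inside address.
REWRITE_HEADERS = ("Via:", "Contact:")
REWRITE_SDP = ("o=", "c=")
MEDIA_RE = re.compile(r"^m=(\w+) (\d+) ")


def sip_alg(msg, inside_ip, outside_ip):
    """Model of what a SIP ALG does to an outbound INVITE.

    Returns (rewritten_message, pinholes). The ALG replaces the private address in
    the signaling headers and the SDP with the NAT address (this demo keeps ports
    1:1, i.e. a static NAT), and it derives media pinholes from every m= line:
    the RTP port and the RTCP port (RTP port + 1), both UDP, towards outside_ip.
    """
    head, _, body = msg.partition("\r\n\r\n")
    new_head = []
    for line in head.split("\r\n"):
        if line.startswith(REWRITE_HEADERS):
            line = line.replace(inside_ip, outside_ip)
        new_head.append(line)
    new_body, pinholes = [], []
    for line in body.split("\r\n"):
        if line.startswith(REWRITE_SDP):
            line = line.replace(inside_ip, outside_ip)
        m = MEDIA_RE.match(line)
        if m:
            port = int(m.group(2))
            pinholes += [(outside_ip, port, "udp"), (outside_ip, port + 1, "udp")]
        new_body.append(line)
    return "\r\n".join(new_head) + "\r\n\r\n" + "\r\n".join(new_body), pinholes


def sip_without_alg(msg):
    """With ALG disabled the payload passes through untouched and no pinholes are
    opened; the media ports must then be permitted explicitly by Security policy."""
    return msg, []


if __name__ == "__main__":
    rewritten, holes = sip_alg(INVITE, INSIDE_IP, OUTSIDE_IP)
    print(rewritten)
    print("pinholes opened by ALG:", holes)
```

If the phone had already placed its public address in the SDP (as a STUN-aware client does), the rewrite step would find nothing to change, yet the ALG would still act on the m= lines; that mismatch between what the endpoint expects and what the firewall does is the kind of conflict that disabling the ALG removes.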
An engineer is configuring a firewall with three interfaces:
1. MGT connects to a switch with internet access.
2. Ethernet1/1 connects to an edge router.
3. Ethernet1/2 connects to a visualization network.
The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?
A. Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.
B. Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.
C. Set DNS and Palo Alto Networks Services to use the MGT source interface.
D. Set DDNS and Palo Alto Networks Services to use the MGT source interface.
An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority.
Match the default Administrative Distances for each routing protocol.
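The priority the engineer is trying to determine works in two steps: when the same prefix is learned from several protocols, the virtual router installs only the one with the lowest administrative distance (and lowest metric as a tie-breaker); the forwarding lookup is then a longest-prefix match over what was installed, so a more specific prefix wins regardless of its protocol's distance. The following is an added example, not code from the page or from Palo Alto Networks: it uses the default PAN-OS administrative distances (static 10, eBGP 20, OSPF internal 30, OSPF external 110, RIP 120, iBGP 200) and a constructed routing table to show both steps. The protocol key names and all prefixes and next hops are chosen for the demo.

```python
import ipaddress

# Default administrative distances of a PAN-OS virtual router, as documented by
# Palo Alto Networks (lower is preferred when the same prefix is learned from
# more than one source). The protocol keys are names chosen for this demo.
DEFAULT_AD = {
    "static": 10,
    "ebgp": 20,
    "ospf-int": 30,
    "ospf-ext": 110,
    "rip": 120,
    "ibgp": 200,
}

# Constructed routing table: (prefix, protocol, metric, next hop).
ROUTES = [
    ("0.0.0.0/0", "ebgp", 0, "192.0.2.6"),
    ("10.0.0.0/8", "static", 10, "192.0.2.1"),
    ("10.20.0.0/16", "ospf-int", 20, "192.0.2.2"),
    ("10.20.0.0/16", "rip", 2, "192.0.2.3"),
    ("10.20.30.0/24", "ibgp", 0, "192.0.2.4"),
    ("10.20.30.0/24", "ospf-ext", 50, "192.0.2.5"),
]


def install_fib(routes, ad=DEFAULT_AD):
    """Resolve each prefix learned from several protocols to the single entry the
    virtual router installs: lowest administrative distance, then lowest metric."""
    fib = {}
    for prefix, proto, metric, nh in routes:
        key = ipaddress.ip_network(prefix)
        cand = (ad[proto], metric, proto, nh)
        if key not in fib or cand < fib[key]:
            fib[key] = cand
    return fib


def lookup(dest, fib):
    """Longest-prefix match against the installed FIB; returns (prefix, protocol, next hop)."""
    dest = ipaddress.ip_address(dest)
    matches = [net for net in fib if dest in net]
    if not matches:
        return None
    net = max(matches, key=lambda n: n.prefixlen)
    _, _, proto, nh = fib[net]
    return str(net), proto, nh


def best_route(dest, routes=ROUTES, ad=DEFAULT_AD):
    """Full selection for one destination: install by distance, then longest-prefix match."""
    return lookup(dest, install_fib(routes, ad))


if __name__ == "__main__":
    for d in ("10.20.30.7", "10.20.1.1", "10.9.9.9", "8.8.8.8"):
        print(d, "->", best_route(d))
```

Note the 10.20.0.0/16 case: RIP advertises a lower metric (2 against 20), but OSPF internal is installed because metrics are only compared within a protocol, and administrative distance decides between protocols.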
An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair.
Based on the image below, what - if any - action was taken by the active firewall when the link failed?
A. No action was taken because interface ethernet1/1 did not fail.
B. The active firewall failed over to the passive HA member due to an AE1 Link Group failure.
C. No action was taken because Path Monitoring is disabled.
D. The active firewall failed over to the passive HA member because "any" is selected for the Link Monitoring "Failure Condition".
Correct Answer: A
Question 19:
Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)
A. A Deny policy for the tagged traffic
B. An Allow policy for the initial traffic
C. A Decryption policy to decrypt the traffic and see the tag
D. A Deny policy with the "tag" App-ID to block the tagged traffic
Correct Answer: AB
Use the dynamic user group in policy to regulate traffic for the members of the group. You need at least two rules: one that allows the initial traffic so that the user's activity is logged and the user is auto-tagged into the dynamic user group, and one that denies traffic for the members of that group (in this case, users tagged for questionable activity). Because the rulebase is evaluated top down with first match, the deny rule for the tagged users must sit above the allow rule; the allow rule therefore has a higher rule number than the deny rule. No Decryption policy is needed to see the tag, and there is no "tag" App-ID: group membership comes from User-ID tag registration (for example a log forwarding profile with a tag-user action), not from the traffic content.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-dynamic-user-groups-in-policy
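The rule-order requirement is easy to get backwards, so here is an added example (not code from the page or from Palo Alto Networks) that simulates first-match evaluation of a two-rule rulebase with a dynamic user group whose membership changes as users are tagged. The rule names, the tag name, the apps that trigger tagging and the sessions are all constructed for the demo; in PAN-OS the tagging itself is done by a log forwarding profile attached to the allow rule.

```python
from dataclasses import dataclass
from typing import Optional

TAG = "questionable-activity"   # tag the log-forwarding profile registers on the user (constructed name)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    dug_tag: Optional[str] = None    # when set, match only users currently carrying this tag
    tag_on_apps: tuple = ()          # apps whose use makes the allow rule auto-tag the user


# Constructed two-rule rulebase. Rule order is the whole point: the deny for the
# dynamic user group must come before the allow that populates it.
DENY_TAGGED = Rule("block-questionable-users", "deny", dug_tag=TAG)
ALLOW_AND_TAG = Rule("allow-and-tag", "allow", tag_on_apps=("tor", "bittorrent"))
CORRECT_ORDER = [DENY_TAGGED, ALLOW_AND_TAG]
WRONG_ORDER = [ALLOW_AND_TAG, DENY_TAGGED]


def evaluate(rulebase, user_tags, session):
    """First-match evaluation of one session against the ordered rulebase.

    session is {"user": ..., "app": ...}. Tagging is a side effect of the allow
    rule (in PAN-OS, a log-forwarding profile with a tag-user action), so it
    changes DUG membership for later sessions, not for the one being allowed.
    """
    tags = user_tags.setdefault(session["user"], set())
    for rule in rulebase:
        if rule.dug_tag is not None and rule.dug_tag not in tags:
            continue  # user is not (yet) a member of the dynamic user group
        if rule.action == "allow" and session["app"] in rule.tag_on_apps:
            tags.add(TAG)
        return rule.action, rule.name
    return "deny", "interzone-default"


def run(rulebase, sessions):
    """Evaluate sessions in order with shared tag state; returns the action per session."""
    user_tags = {}
    return [evaluate(rulebase, user_tags, s)[0] for s in sessions]


# Constructed traffic: alice uses a flagged app, then tries ordinary browsing; bob only browses.
SESSIONS = [
    {"user": "alice", "app": "tor"},
    {"user": "alice", "app": "web-browsing"},
    {"user": "bob", "app": "web-browsing"},
]

if __name__ == "__main__":
    print("deny above allow:", run(CORRECT_ORDER, SESSIONS))   # alice blocked once tagged
    print("allow above deny:", run(WRONG_ORDER, SESSIONS))     # deny rule is never reached
```

With the deny rule first, alice's first session is allowed (and tags her) and every later session is denied; with the allow rule first, the allow matches everything and the deny rule is dead, which is the mistake the documentation's ordering note guards against.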
Question 20:
Which new PAN-OS 11.0 feature supports IPv6 traffic?
A. DHCPv6 Client with Prefix Delegation
B. OSPF
C. DHCP Server
D. IKEv1
Correct Answer: A
According to the Palo Alto Networks documentation, DHCPv6 Client with Prefix Delegation is a new feature in PAN-OS 11.0 that supports IPv6 traffic. An interface can be configured as a DHCPv6 client that requests a delegated prefix from the upstream DHCPv6 server; the firewall then uses that prefix to number other interfaces and to provide addressing to the hosts behind them, so an organization receives IPv6 addressing from its provider without static configuration. Therefore, the correct answer is A. The other options are not new features in PAN-OS 11.0:

OSPF is a routing protocol that has been supported since PAN-OS 4.1 (with OSPFv3 for IPv6 added in a later release, well before 11.0). DHCP Server has been available since PAN-OS 5.0; unlike the new DHCPv6 client, the firewall's built-in DHCP server serves IPv4 clients. IKEv1 has been supported for establishing IPsec VPN tunnels since PAN-OS 3.0 and is not new in 11.0.